This summer, we blogged about whether PACER was a factor in “Snitches Getting Stitches” because the names of witnesses and informants are easily searchable in PACER documents. Now there’s a question about PACER users being vulnerable to hackers.
Ars Technica reports on the Free Law Project’s claim that PACER has not invested sufficiently in securing its system and may have had a “pretty egregious” security flaw. More specifically, when PACER users visit a “booby-trapped webpage” while logged into PACER, hackers can charge download and search-query fees to those users; the attack is technically known as a “cross-site request forgery” (CSRF). Free Law officials also wonder whether this flaw could enable hackers to file court documents in the name of attorneys who were also logged in to PACER, creating potential disruption and complication.
Ars digs into the report on the flaw’s technical details.
“Free Law said the flaw was the result of Pacer failing to implement anti-CSRF protections that are standard on virtually all fee-based sites. The Open Web Application Security Project has long included CSRF in its top-10 list of website security flaws, and yet it’s likely the protections have never been present during the 22 years Pacer has been in existence.”
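The protection the quote says was missing, shown as an added example that is not code from PACER, the AO or the Free Law report: a hypothetical fee-charging handler that trusts the session cookie alone (the condition described above, where a booby-trapped page can bill a logged-in user) beside the same handler requiring a per-session anti-CSRF token. The session store, handler names and sample document ids are assumptions.

```python
import hmac
import secrets

# Hypothetical in-memory session store (constructed for this example): session
# cookie value -> user, per-session anti-CSRF token, and the fees billed so far.
SESSIONS = {}

def login(user):
    """Start a session and mint the anti-CSRF token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "charges": []}
    return sid

def charge_vulnerable(request):
    """Fee handler that trusts the session cookie alone. Browsers attach that
    cookie to requests aimed at the site regardless of which page issued them,
    so a page on another origin can trigger a billable download in the user's name."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401
    session["charges"].append(request["form"]["doc"])
    return 200

def charge_hardened(request):
    """Same handler with a synchronizer token: the request must also carry the
    session's token, which only pages served by this site can embed in the form."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401
    submitted = request["form"].get("csrf", "")
    # constant-time comparison so a near-miss token is not distinguishable by timing
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403
    session["charges"].append(request["form"]["doc"])
    return 200

def forged_request_outcome():
    """Simulate a cross-origin form post: cookie present, token absent.
    Returns (vulnerable status, hardened status, documents billed by hardened)."""
    sid = login("attorney")
    forged = {"cookies": {"session": sid}, "form": {"doc": "DOC-001"}}
    vulnerable_status = charge_vulnerable(forged)
    SESSIONS[sid]["charges"].clear()  # reset so the second call is a clean comparison
    hardened_status = charge_hardened(forged)
    return vulnerable_status, hardened_status, list(SESSIONS[sid]["charges"])

def legitimate_request_outcome():
    """A form rendered by the site itself carries the token and is accepted."""
    sid = login("attorney")
    good = {"cookies": {"session": sid}, "form": {"doc": "DOC-002", "csrf": SESSIONS[sid]["csrf"]}}
    return charge_hardened(good), list(SESSIONS[sid]["charges"])
```

The vulnerable handler bills the forged request (200) while the hardened one rejects it (403) and the legitimate, token-bearing form is still accepted.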
After Free Law reported the vulnerability to PACER’s administrators, the Administrative Office of the U.S. Courts (AO), it took six months for the flaw to be fixed. Free Law offered potential reasons for the delay: the 204 websites that make up PACER aren’t accountable to the Administrative Office but to separate courts (individual district, appeals, and bankruptcy courts), and each court’s own staff is responsible for implementing security fixes.
Recently, while Free Law praised the AO for its response to the vulnerability notification, it continues to be concerned about the security of the entire PACER system, noting the failing security grades many of the individual sites received when assessed by an external firm.
Ars reports that PACER’s profits and its investment in online security don’t add up: since 1995, PACER has earned $1.2 billion in profits.
“If the AO spent even 10 percent of that amount on security, it’s hard to imagine a flaw like the one discovered by Free Law being active for so long.”
AO Public Affairs Officer David Sellers emailed Ars a statement asserting that the vulnerability had existed for years, that there was no evidence it was ever exploited, and that it has been fixed in all courts. Sellers also insisted that security audits and scans are conducted regularly and that anti-CSRF technology has been in place for many years.